Chris Hager

started a topic
6 months ago

Malicious URL Blocking, HTTPS (Endpoint Security)

If at all possible, I'd like to see HTTPS added to URL blocking. With Google's recent push to "shame" even basic non-transaction websites for not using HTTP, almost everything is HTTPS now. And if I were a bad actor, 100% of my payload downloads would certainly be encrypted via https.

Since a DNS query already requires pulling the TLD from the URL for lookup anyway, it seems like there's still an opportunity to have this feature remain (or become) viable as http requests become a thing of the past.

1 person likes this idea

David Corlette

said
6 months ago

Hi Chris,

As you alluded to above, HTTPS is becoming ever more prevalent and protecting endpoints from malicious payloads delivered via HTTPS is becoming more important. That said, HTTPS is very tricky because by design, you are not supposed to be able to look at the content within the traffic - that's the whole point.

Current solutions that look inside HTTPS traffic are difficult, and basically boil down to middleboxes or local proxies that serve as HTTPS endpoints, decrypt the stream, and then establish a new HTTPS session with the real server. This works, sort of, but introduces a host of security issues (a recent review of the security of middleboxes found many problems) and involves complex setup such as registering a new trusted root cert on your endpoints. And with more and more sites moving to HSTS, certificate pinning, etc these will become less effective.

All hope is not lost, however, and we already do several things to protect HTTPS traffic, with more coming.

The first line of defense is the IDS built into our Endpoint Security agent. The IDS can't look inside HTTPS content, but there are plenty of malicious signatures present even in the TCP headers that can be detected, for example the IP address of the server being visited.

The second line of defense is the actual anti-malware engine, which does two things: first, it will scan any files dropped by any websites that serve up malicious content. Since most malware still attempts to do something to remain persistent on your disk, we can catch it at that point. Second, Advanced Active Protection will monitor any running process, including your web browser, for any activity that appears to be malicious. This protects against even file-less malware and script running in your browser.

So what we have today already provides a very solid defense against potential malware, even for HTTPS sites. But with malware becoming ever more evasive, we have more coming. A future release of our endpoint agent will add:

- Improved IDS capabilities

- True DNS sinkholing to block access to any known malicious domains/IPs

In fact, we'll be releasing a completely new network protection stack for our agent in the coming months with the capabilities listed above, but then we will be building additional advanced capabilities on top of that new platform.

HTH

L

Luke Papenfuss

said
6 months ago

Just want to add that I'd rather not have HTTPS scanning/blocking due to the associated security risks you mentioned David. Great to hear about those upcoming features though!